1.286. tigervnc

Updated tigervnc packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Virtual Network Computing (VNC) is a remote display system which allows you to view a computer's desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix

CVE-2011-1775
It was discovered that vncviewer could prompt for and send authentication credentials to a remote server without first properly validating the server's X.509 certificate. As vncviewer did not indicate that the certificate was bad or missing, a man-in-the-middle attacker could use this flaw to trick a vncviewer client into connecting to a spoofed VNC server, allowing the attacker to obtain the client's credentials.
All tigervnc users should upgrade to these updated packages, which contain a backported patch to correct this issue.
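Because the fix ships as a backported patch, the upstream version number alone does not show whether it is present. The following added example (not part of Red Hat's text or tooling) finds the RPM changelog entry that mentions a CVE, assuming the packager names the CVE in the changelog; the sample changelog, packager name and version strings are constructed.

```shell
#!/bin/sh
# Added example: locate the RPM changelog entry that records a CVE fix.
# Changelog text is read from stdin so the logic can be exercised offline.
# On an installed system (assumption: rpm is available) feed it with:
#   rpm -q --changelog tigervnc | cve_fix_entry CVE-2011-1775

# cve_fix_entry CVE-ID
# Prints the header line ("* date packager - version-release") of the newest
# changelog entry that mentions CVE-ID; returns 1 when no entry mentions it.
cve_fix_entry() {
    awk -v cve="$1" '
        # Literal (non-regex) match that rejects longer IDs sharing the same
        # prefix, e.g. CVE-2011-17750 when searching for CVE-2011-1775.
        function mentions(line, id,    i, rest) {
            rest = line
            while ((i = index(rest, id)) > 0) {
                rest = substr(rest, i + length(id))
                if (rest !~ /^[0-9]/) return 1
            }
            return 0
        }
        /^\* / { header = $0; next }      # start of a changelog entry
        header != "" && mentions($0, cve) {
            print header; found = 1; exit # entries are listed newest first
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in rpm changelog layout (placeholder versions).
SAMPLE_CHANGELOG='* Sat Jan 01 2011 Example Packager <packager@example.com> - 0.0.0-2.el6
- viewer: validate X.509 certificate before authentication (CVE-2011-1775)

* Fri Jan 01 2010 Example Packager <packager@example.com> - 0.0.0-1.el6
- initial build'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_entry CVE-2011-1775
```

A non-zero exit status means no changelog entry names the CVE, which covers both an unpatched build and a package that is not installed.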

Updated tigervnc packages that fix several bugs and add an enhancement are now available.
Virtual Network Computing (VNC) is a remote display system which allows you to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.

Bug Fixes

BZ#588342
Xvnc could become unresponsive and the following error message was shown in the log: "[mi] EQ overflowing. The server is probably stuck in an infinite loop." This was caused by a large number of user input events in the Xvnc event queue, which were being processed too slowly. With this update, this issue no longer occurs and the system works as expected.
BZ#628054
Prior to this update, Xvnc (the X VNC server; part of the tigervnc package) did not pass keyboard input to a remote VMware workstation because it did not take into account types of keyboards which do not have modifier keys. With this update, Xvnc recognizes all types of keyboards; thus, keyboard input is correctly passed to remote VMware workstations.
BZ#632530
When connecting to a remote machine, the default ".vnc/xstartup" file did not load the i18n settings (the default X locale settings) from the "/etc/sysconfig/i18n" file, which caused the remotely accessed desktop to always use the "en_US" locale. With this update, the default ".vnc/xstartup" file loads the i18n settings and shows the correct locale.
BZ#634161
The tigervnc-server package was missing a perl dependency, causing the "/usr/bin/vncserver" script to fail to run. This update adds the perl dependency to the tigervnc-server package; thus, the "/usr/bin/vncserver" script runs as expected.
BZ#645755
The Xvnc server randomly refused connections when the reading of the password file (provided when starting Xvnc with the "-PasswordFile" option) was interrupted by a signal. With this update, the loading of a password file continues after an interrupt signal is issued and connections are no longer refused.

Enhancement

BZ#653491
TigerVNC (Xvnc, x0vncserver, the libvnc.so module, and vncviewer) now supports TLS encryption (using VeNCrypt) which allows TLS encrypted communication between a server and a viewer.
Users are advised to upgrade to these updated tigervnc packages, which resolve these issues and add this enhancement.